{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28389", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "state": "PUBLISHED", "assignerShortName": "openssl", "dateReserved": "2026-02-27T13:45:02.161Z", "datePublished": "2026-04-07T22:00:53.364Z", "dateUpdated": "2026-04-07T22:00:53.364Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSSL", "vendor": "OpenSSL", "versions": [{"lessThan": "3.6.2", "status": "affected", "version": "3.6.0", "versionType": "semver"}, {"lessThan": "3.5.6", "status": "affected", "version": "3.5.0", "versionType": "semver"}, {"lessThan": "3.4.5", "status": "affected", "version": "3.4.0", "versionType": "semver"}, {"lessThan": "3.3.7", "status": "affected", "version": "3.3.0", "versionType": "semver"}, {"lessThan": "3.0.20", "status": "affected", "version": "3.0.0", "versionType": "semver"}, {"lessThan": "1.1.1zg", "status": "affected", "version": "1.1.1", "versionType": "custom"}, {"lessThan": "1.0.2zp", "status": "affected", "version": "1.0.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Nathan Sportsman (Praetorian)"}, {"lang": "en", "type": "reporter", "value": "Daniel Rhea"}, {"lang": "en", "type": "reporter", "value": "Jaeho Nam (Seoul National University)"}, {"lang": "en", "type": "reporter", "value": "Muhammad Daffa"}, {"lang": "en", "type": "reporter", "value": "Zhanpeng Liu (Tencent Xuanwu Lab)"}, {"lang": "en", "type": "reporter", "value": "Guannan Wang (Tencent Xuanwu Lab)"}, {"lang": "en", "type": "reporter", "value": "Guancheng Li (Tencent Xuanwu Lab)"}, {"lang": "en", "type": "reporter", "value": "Joshua Rogers"}, {"lang": "en", "type": "remediation developer", "value": "Neil Horman"}], "datePublic": "2026-04-07T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Issue summary: During processing of a crafted CMS EnvelopedData message<br>with KeyAgreeRecipientInfo a NULL pointer dereference can happen.<br><br>Impact summary: Applications that process attacker-controlled CMS data may<br>crash before authentication or cryptographic operations occur resulting in<br>Denial of Service.<br><br>When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is<br>processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier<br>is examined without checking for its presence. This results in a NULL<br>pointer dereference if the field is missing.<br><br>Applications and services that call CMS_decrypt() on untrusted input<br>(e.g., S/MIME processing or CMS-based protocols) are vulnerable.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this<br>issue, as the affected code is outside the OpenSSL FIPS module boundary."}], "value": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}], "metrics": [{"format": "other", "other": {"content": {"text": "Low"}, "type": "https://openssl-library.org/policies/general/security-policy/"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl", "dateUpdated": "2026-04-07T22:00:53.364Z"}, "references": [{"name": "OpenSSL Advisory", "tags": ["vendor-advisory"], "url": "https://openssl-library.org/news/secadv/20260407.txt"}, {"name": "3.6.2 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686"}, {"name": "3.5.6 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5"}, {"name": "3.4.5 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616"}, {"name": "3.3.7 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a"}, {"name": "3.0.20 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f"}], "source": {"discovery": "UNKNOWN"}, "title": "Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}], "id": "CVE-2026-28389", "lastModified": "2026-04-07T22:16:21.030", "metrics": {}, "published": "2026-04-07T22:16:21.030", "references": [{"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686"}, {"source": "openssl-security@openssl.org", "url": "https://openssl-library.org/news/secadv/20260407.txt"}], "sourceIdentifier": "openssl-security@openssl.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "openssl-security@openssl.org", "type": "Secondary"}]}

{}

{}